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During 1990, the Office of the Inforn ation and Privacy Commis- 
sioner conducted a review of AIDS-rel rsénal information 


in the public health sector. The review traced the flow of AIDS- 
related personal information between the Ministry of Health’s 
Public Health Branch, its Public Health Laboratories, and se- 
lected municipal Health Units. Five institutions were reviewed: 
two provincial - the Public Health Branch, Ministry of Health 
and the Central Laboratory, Ministry of Health; and three 
municipal health units - North York, East York and Simcoe. 


The purpose of the review was to ensure that the procedures and 
practices associated with the collection, retention, use and disclo- 
sure of AIDS-related personal information complied with the 
provisions of the Freedom of Information and Protection of Privacy 
Act,1987. We also reviewed the security practices associated with 
the storage of this information. 


Seven reports were prepared: five detailed reports which re- 
viewed the above-mentioned institutions, as well as “the Report- 
able Disease Information System” (RDIS), and an overall 
“Summary Report of Significant Findings”. RDIS is a system 
acquired by the Ministry of Health to automate the case manage- 
ment of its reportable diseases. The Summary Report outlines the 
significant findings and recommendations made in each of the 
detailed reports. We are pleased to report that no serious breaches 
of security were found. 


Objectives 


Specifically, our objectives were to ensure that AIDS-related 
personal information was: 


* Collected in accordance with the Act; 

* Processed in such a manner that records were accurate and up- 
to-date, in accordance with the Act; 

* Retained and disposed of in accordance with the Act and the 
regulations made thereunder; 

* Stored in a secure manner. 


(cont'd on next page) 
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Access 


Key to the Community, a conference devoted to major issues 
concerning freedom of information and protection of privacy 
took place in Toronto on September 28 and 29, 1990. The 
conference was the largest of its kind in North America and 
attracted more than 500 delegates. I had the pleasure of giving the 
keynote address and in my remarks I focused on the new Munici- 
pal Freedom of Information and Protection of Privacy Act and 
highlighted the role of the Commissioner’s office. 


I explained that this Act and other freedom of information 
statutes have changed the philosophy of access to information 
held by governments to a right from a privilege. It permits the 
public to decide what kind of information it wishes to have and 
provides the routes of access for the public to follow when 
information is not available through customary sources. It also 
places the onus on government to show why information should 
not be released. 


The Information and Privacy Commissioner in Ontario has 
much more authority than in most other systems. The Commis- 
sioner is an officer of the Legislature, independent of the govern- 
ment of the day, and has the power to independently review 
decisions of the government and make orders regarding the 
release of information which are final and binding. 


The role of the Commissioner is basically threefold: to review 
decisions made by governments regarding access to information; 
to ensure that governments are protecting the privacy of indi- 
viduals by correctly using personal information in their custody; 
and to educate the public about the provincial and municipal Acts 
so that citizens of Ontario are aware of the rights given to them 
by the legislation. 


There are some concrete differences between access and privacy. 
Access is very much requester-driven. A government organiza- 
tion may receive many or few requests for information depending 
on factors such as: the size and level of activity of the organiza- 
tion, the community’s level of interest in government and past 
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Recommendations 


In all, 27 recommendations were made. Generally, they related to 
procedural and operational matters. Overall, we felt that most 
HIV/AIDS-related personal information could be collected and 
stored anonymously instead of nominally. Among the specific 
recommendations were the following: 


* Because AIDS-related information is needed only for statistical 
purposes and epidemiological analysis, the Ministry of Health 
should discontinue its collection of personal identifiers associ- 
ated with this information; 


* Because the individual’s name and address are not required by 
the Public Health Branch of the Ministry of Health, subsection 
6(2) of Ontario Regulation 490/85 made pursuant to the Health 
Protection and Promotions Act should be amended to include 
AIDS as a disease for which the individual’s name should not 
be reported to the Ministry of Health. 


* With regard to the HIV Serology Requisition form: 


- adoctor should indicate whether or nota patient has given 
his or her consent to have HIV antibody testing con- 
ducted; 


- the form should be re-designed so the Central Labora- 
tory’s copy does not contain any nominal patient identifi- 
cation, such as the individual’s name; 


* All AIDS-related personal information should be dispatched 
by courier in unmarked envelopes under “‘private and confi- 
dential’? cover. 


In addition to the audit component of the review, the IPC also 
developed a flow chart of HIV/AIDS-related personal informa- 
tion, from the initial time of testing to the final test results and 
ultimate transmission of statistical information to the Federal 


Centre for AIDS. 
I would like to take this opportunity to thank the Ministry of 


Health and the participating health units for their assistance and 
co-operation. 


Ann Cavoukian, Ph.D. 
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practices of the organization with respect to making information 
available. 


Once an organization has the people and systems in place to deal 
with requests, the process becomes relatively straightforward. If 
the legislation is approached in the spirit in which it was written 
- that the public has the presumed right of access to general 
records and that exemptions from that right should be limited 
and specific, then organizations should be able to successfully 
comply with the Act. 


Just as institutions need to put people and systems in place to deal 
with access requests, systems of a different sort are required to 
ensure that the privacy of individuals is not being invaded. An 
institution has the responsibility of protecting personal informa- 
tion, regardless of whether or not it receives any access requests 
for the information. The privacy provisions of the Act require 
institutions to follow strict rules in collecting, using, disclosing, 
storing and disposing of personal information — all of which are 
intended to protect the privacy of the individuals concerned. 


Management Board of Cabinet and the staff from the Commis- 
sioner’s office have provided training sessions across the province 
on the municipal Act and have spoken to more than 4,000 people 
from municipal organizations. While I hope the sessions were 
worthwhile for those who attended, they were also valuable for 
the Commissioner’s office. A number of specific local concerns 
relating to both access and privacy were raised at the sessions and 
we are investigating those issues now, so we can be ready to 
address them. 


We are also sensitizing our staff to the special circumstances of 
municipalities, school boards and other local agencies so they can 
be more aware of issues and concerns at the local government 
level. 


I reminded delegates that reference material, both printed and 
audio-visual, has been developed by our office and Management 
Board to help local government organizations administer and 
understand the new Act. By January 1, we will have the benefit of 
three years’ experience with the provincial Act. We are looking 
forward to the implementation of the Municipal Freedom of 
Information and Protection of Privacy Actand the challenges it will 
bring. 


Tom Wright 


On December 13, 1990, Health Minister 
Evelyn Gigantes tabled a bill in the Legis- 
lature designed to protect the confidential- 
ity of Ontario’s health card numbers. 
Under this legislation, only the Ministry 
of Health and those who provide health 
care services, such as doctors and other 
health care practitioners, may require 
people to show their cards and use the 
health numbers. 


When the bill becomes law, it will pro- 
hibit individuals, businesses and organiza- 
tions from requiring people to provide 
their health number. It will also prohibit 
the collection of health numbers to obtain 
information from data banks or for credit 
checks. Anyone other than health care 
professionals who require a person to 
show his or her card are subject to fines or 
a jail term of up to two years. 


History 


Under the Freedom of Information and 
Protection of Privacy Act, 1987, one of the 
mandates of the Office of the Information 
and Privacy Commissioner is to comment 
on the privacy protection implications of 
proposed legislation and government pro- 
grams. In early 1990, the Commissioner’s 
Office initiated a series of discussions with 
senior officials at the Ministry of Health 
concerning how the new health number 
could present serious new threats to the 
privacy of Ontario residents. 


The discussions culminated in a letter to 
the former Minister of Health, in which 
the IPC emphasized the need to place 
controls on the use of the new number. We 
referred to Canada’s experience with the 
misuse of the Social Insurance Number 
(S.I.N.) to illustrate how a unique personal 
identifier could be abused if not ade- 
quately controlled at the time of introduc- 
tion. The IPC recommended that legisla- 
tion be introduced to restrict the use of the 
health number by the Ontario govern- 


In early December, Irwin Glasberg 
joined the Information and Privacy 
Commissioner as the new Director of 
Appeals. Over the last few years, he has 
held several positions with the Work- 
ers’s Compensation Board. In addition 
to implementing the Freedom of Informa- 
tion and Protection of Privacy Act at the 
WCB, he has served as General Counsel 
to the WCB, Executive Director of the 
Review Services Department, Executive 
Director of Policy and Program Devel- 
opment, and Executive Director of the 
Revenue Department. 


ment to specified health-related purposes 
and to prohibit its use by the private sec- 
tor. 


In her statement to the Legislature, Ms. 
Gigantes said: ‘“The right to individual 
privacy and the confidentiality of health 
information is far more important than 
the convenience to businesses and other 
organizations of having yet another way to 
establish the identity of individuals. We 
intend to protect the confidentiality of 
information associated with the provi- 
sions of health services.” Ms. Gigantes 
also announced the ministry’s commit- 
ment to introducing a wide-ranging health 
information privacy bill. 


The Office of the Information and Privacy 
Commissioner is extremely pleased that 
the government has introduced controls 
on the use of the new health number in 
such a timely fashion. We also look for- 
ward to further developments associated 
with the broader health care and informa- 
tion protection legislation expected in 
1771. 


Prior to joining the WCB, Mr. Glasberg 
was the Director of Appeals with the 
Occupational Health and Safety Divi- 
sion of the Ministry of Labour. 


One of Mr.Glasberg’s challenges will be 
to work with agency staff to identify 
situations where the present appeal 
process can be made more effective. This 
objective is particularly important since 
the workload of the Appeals depart- 
ment is expected to increase with the 
extension of the Act to municipalities. 


Update On IPC's 
Computerized Tracking System 


In December, a users’ manual and system software were mailed to 
all organizations which ordered the IPC’s FOIP Tracking Sys- 
tem. This system will assist in tracking access requests received 
under the Freedom of Information and Protection of Privacy Act, 
1987, and the Municipal Freedom of Information and Protection of 
Privacy Act, 1989. 


The purpose of the FOIP Tracking System is to allow coordina- 
tors to monitor requests and produce summary reports from a da- 
tabase of request information. In general terms, all the informa- 
tion recorded on Management Board of Cabinet’s Tracking and 
Recording Form will be accommodated and the annual, year-end 
report required by the IPC can be produced automatically. 


For any questions or problems regarding the new system, please 
phone the IPC HOT LINE answering machine at (416) 326-1989. 
Users are asked to leave a message briefly describing any problem 
or question. Please don’t forget to include your name, organiza- 
tion name, area code and telephone number and we will get back 
to you with an answer as soon as possible. 


Anyone who would like to order the tracking system should call 
the HOT LINE. The system is designed for IBM/PC or 100 per 
cent compatible machines. The system is provided free of charge. 


Reminder: Coordinators DO NOT need to track requests for 
access to records made in a customary manner. Only formal, 
written requests made under the Freedom of Information and 
Protection of Privacy Act, 1987 or the Municipal Freedom of Infor- 
mation and Protection of Privacy Act, 1989 should be recorded for 
the year-end report to the Commissioner. 


The Three Year Review 


The Standing Committee on the Legislative Assembly 
has scheduled its review on the Freedom of Information 
and Protection of Privacy Act, 1987, as amended, during 
the weeks commencing February 4-7, and February 25 
- 28, 1991. Anyone wishing to make a submission to the 
committee should contact: 


Mr. Douglas Arnott, Committee Clerk 

Standing Committee on the Legislative Assembly 
Room 1521, Whitney Block, 

Queen’s Park 

Toronto, Ontario 

M7A 1A2 

(416) 965-2491 


P 


Guidelines on Indirect Collection 


Both the provincial and municipal freedom of information and 
protection of privacy acts stipulate that personal information 
must be collected directly from the individual to whom it relates, 
except in specific and limited circumstances. Collection of this 
information from a source other than the person to whom it 
relates is called “indirect collection’’. 


The legislation recognizes that it is not always possible to collect 
personal information directly from the person to whom it relates 
and gives the Information and Privacy Commissioner the author- 
ity to approve the manner of collection if it is not directly from 
the individual. The task of the Commissioner is to identify and 
evaluate the various privacy implications of indirect collection. 


“Guidelines on Indirect Collection” have been created to assist in- 
stitutions in preparing applications for the Commissioner’s 
consideration. These guidelines should be regarded as the mini- 
mum standards, which may need to be supplemented as the 
circumstances require. They provide suggestions on issues which 
should be considered at the time a requesting institution first 
contemplates indirect collection. The document also discusses 
suggested topics to be included in an application to the Commis- 
sioner. Each component of the guidelines is described in detail so 
the requesting institution will understand what issues should be 
considered and what specific kinds of information need to be 
provided to the Commissioner. 


Institutions applying for authorization to collect information 
indirectly may obtain “Guidelines on Indirect Collection” from the 
Commissioner’s Office. 
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